

Re: Question: How much Security is enough?
Posted by Eirik (129.177.xx.xx) on Thu 8 Sep 2005 at 14:26
Wrong conclusion!

(Incidentally, I'm reading "The Art of Deception" now (about halfway through), and I'm not overly impressed. Too light on real details for my taste (makes for a little dull reading). Don't get me wrong, it's a great book for management, and for admins that might not have tried getting into the hacker mindset much -- but I hope and believe there's little to shock experienced sysadmins in the book.)

Probably the most relevant part of the book is the last chapters, with recommendations on security policies, and staff training.

But not ever writing anything down? What? Not sharing info with your fellow admins? If anything, policies should be formed along with the team. Everyone needs to know why and how. Then it needs to be documented.

But, you need to secure that information. Don't leave it up on your intranet. Either make a hardcopy manual, and lock it up, in a real safe, or share the information, but encrypted. Something as simple as using gpg and distributing it via email might be enough. But remember to watch out for temp-files and swap; make sure there's no way to avoid the encryption.

There's a reason all those three letter government institutions have a lot of reports with "TOP SECRET" watermarks. It's so that it's obvious to anyone handling the document that the information is sensitive.

You need to think about the lifecycle of sensitive information: it must be protected, and it must be securely destroyed when it's out of date. In the absence of a real budget, burning documents in the backyard and stirring up the ash works about as well as an industry-grade shredder.

Effective security is about awareness of the sensitive nature of the information you know. Maybe some of it never should be written down (e.g. passwords), but the important part isn't whether it's written down or not, it's whether it's available to third parties, and that you're aware if and how a third party might get to know the information.

Security through obscurity, isn't. Remember that a lot of information regarding the structure of your network can be learned, and should be easy to learn, from e.g. DNS names. After all, you want your network to be accessible to your own users.

The message in The Art of Deception is that awareness and education is an important security tool. Not that giving people the information they need to get their job done is wrong, nor that all sensitive data should be memorized because you can't trust any safes or computer systems.
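The gpg-based distribution the comment above suggests, with its caveat about temp files, as an added example (this is editor-supplied code, not the commenter's, and it assumes GnuPG 2.1 or later and a POSIX sh). The plaintext is fed to gpg on a pipe so that this script never writes it to a file, the scratch directory is created under umask 077 so the ciphertext is owner-readable only, and the round-trip is checked. The sample runbook line and the passphrase are constructed for the example. Swap is the one thing a script cannot control; whether the plaintext gets paged out while gpg holds it in memory is up to the kernel, which is why the comment's advice about swap (encrypted swap, or none) stands separately.

```shell
#!/bin/sh
# Added example: encrypt a runbook for distribution without leaving plaintext on disk.
# Assumes gpg (GnuPG 2.1+, for --pinentry-mode loopback) and a POSIX sh.
set -eu

# Everything gpg writes (keyring state, agent socket) goes into a private scratch
# directory; umask 077 makes every file created below owner-readable only.
umask 077
WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -p "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

# encrypt_stdin PASSPHRASE OUTFILE
# Reads plaintext on stdin and writes symmetric AES-256 ciphertext to OUTFILE.
# Because the plaintext arrives on a pipe, this script creates no plaintext
# temp file; the ciphertext is what gets mailed to the other admins.
encrypt_stdin() {
    gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase "$1" --symmetric --cipher-algo AES256 \
        --output "$2"
}

# decrypt_file PASSPHRASE INFILE : plaintext to stdout, never to a file.
decrypt_file() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase "$1" --decrypt "$2"
}

# roundtrip : encrypt a constructed runbook line, check the on-disk artefact,
# decrypt it again. Returns 0 when every check passes.
roundtrip() {
    pass='correct horse battery staple'   # constructed; in practice read from a prompt, not argv
    secret='router r1: console password is in safe #2'
    out="$WORK/runbook.gpg"

    printf '%s\n' "$secret" | encrypt_stdin "$pass" "$out"

    # 1. the ciphertext file must be mode 600 (Linux stat, then BSD stat)
    perm=$(stat -c %a "$out" 2>/dev/null || stat -f %Lp "$out")
    [ "$perm" = 600 ] || return 1

    # 2. the plaintext must not be recoverable from the file with grep
    if grep -q 'console password' "$out"; then return 1; fi

    # 3. decrypting with the same passphrase must give the original line back
    [ "$(decrypt_file "$pass" "$out")" = "$secret" ]
}
```

Run it with `sh runbook.sh && echo ok` after appending `roundtrip` as the last line; to distribute for real, replace `--symmetric` with `--encrypt --recipient <admin key>` for each fellow admin so the passphrase never has to travel alongside the ciphertext.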

